LAS VEGAS -- Radio frequency ID tags embedded in U.S. passports can be read hundreds of feet away, potentially making it inexpensive and easy to pick American tourists out of crowds for illicit purposes, a demonstration at Black Hat 2010 showed.

Using off-the-shelf gear he bought in stores and on eBay for less than $2,500, researcher Chris Paget pieced together a system that he says has read the tags at 217 feet, but he believes the same apparatus set up under better conditions could read them at 1,000 feet. He says he's willing to give it a whirl during the Black Hat conference if someone can get him access to a rooftop.

The same RFID chips are used in Canadian passports and in New York State drivers' licenses, he says. They are also used for inventory control at Wal-mart.

Paget says he is uncertain what personal data is included on the chips, but at the very least it would be possible, from batch numbers read off the chips, to determine who issued the IDs and hence where the holder is from. The U.S. government says the chips contain all the information printed on the passport, including a digital copy of the photo.

Security expert Bruce Schneier has written about the passport chips in his blog. "It means that passport holders are continuously broadcasting their name, nationality, age, address and whatever else is on the RFID chip. It means that anyone with a reader can learn that information, without the passport holder's knowledge or consent. It means that pickpockets, kidnappers and terrorists can easily -- and surreptitiously -- pick Americans or nationals of other participating countries out of a crowd," Schneier wrote.

He imagined scenarios in which, if the tags became common enough that people carried more than one, malls could scan customers for these IDs as they enter, build a digital ID fingerprint for each shopper and then track exactly where they go while in the mall. This could provide valuable marketing data, he says.

In general, RFID chips are powered by the radio waves sent at them, and they use that power to respond with a signal picked up by a receiver associated with the transmitter. "The tag needs a burst of power to turn on, then drops down in power," he says.

The chips used in the Black Hat demo - EPC Gen 2 - respond by modulating the radio waves they reflect: they absorb part of the signal to power the chip, and the chip then controls how much of the signal is reflected back toward the transmitter. This is much the same way radar works, and Paget used the equations used to predict radar performance to optimize standard, off-the-shelf RFID transmitters and receivers.

The chips use what is known as the 900 MHz industrial, scientific and medical (ISM) frequency band, a band that ham radio operators are also allowed to use for communication, although they have to accept whatever interference ISM devices cause. In RFID applications, the maximum power used to transmit radio waves to the chips is 1 watt, Paget says.

But if the transmitter instead behaves like a ham radio station and applies the maximum legal power that hams can use - 1.5 kilowatts - the theoretical upper limit for the read range of his architecture jumps from feet to about two miles. Larger antennas and more powerful transmitters, such as those available to the military, could push that limit to 80 miles, he says.

He applied more power than would normally be used and optimized the antennas that receive data from the chips, extending the read range well beyond the roughly 35 feet achievable with standard transmitters and receivers. The chips themselves are unmodified, Paget says.
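A worked link-budget estimate of the range scaling described above, added here as an example and not part of the original article or of Paget's work. It applies the Friis equation to the forward link (the reader's field waking the tag, falling off as 1/R^2) and the radar form to the backscatter link (the tag's reflection reaching the reader, falling off as 1/R^4), so forward-limited range grows with the square root of transmit power and backscatter-limited range with only its fourth root. The antenna gains, modulation loss, tag wake-up sensitivity and reader sensitivity are constructed assumptions, so the absolute distances are illustrative and not the article's figures.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def dbm_to_w(dbm: float) -> float:
    return 10 ** ((dbm - 30) / 10)


def dbi_to_linear(dbi: float) -> float:
    return 10 ** (dbi / 10)


def forward_link_range_m(p_tx_w, g_reader_dbi, g_tag_dbi, tag_sens_dbm, freq_hz=915e6):
    """Farthest distance at which the reader's field still delivers enough
    power to wake a passive tag (Friis equation, received power ~ 1/R^2)."""
    lam = C / freq_hz
    p_min = dbm_to_w(tag_sens_dbm)
    gain = dbi_to_linear(g_reader_dbi) * dbi_to_linear(g_tag_dbi)
    return lam / (4 * math.pi) * math.sqrt(p_tx_w * gain / p_min)


def backscatter_link_range_m(p_tx_w, g_reader_dbi, g_tag_dbi, reader_sens_dbm,
                             mod_loss_db=6.0, freq_hz=915e6):
    """Farthest distance at which the tag's reflected signal is still above the
    reader's sensitivity (monostatic radar form, received power ~ 1/R^4).
    mod_loss_db is an assumed loss from the tag's backscatter modulation."""
    lam = C / freq_hz
    p_min = dbm_to_w(reader_sens_dbm)
    gain = (dbi_to_linear(g_reader_dbi) * dbi_to_linear(g_tag_dbi)) ** 2
    mod = 10 ** (-mod_loss_db / 10)
    return lam / (4 * math.pi) * (p_tx_w * gain * mod / p_min) ** 0.25


def read_range_m(p_tx_w, g_reader_dbi, g_tag_dbi, tag_sens_dbm, reader_sens_dbm):
    """Usable read range is whichever link gives out first; also report which one."""
    fwd = forward_link_range_m(p_tx_w, g_reader_dbi, g_tag_dbi, tag_sens_dbm)
    back = backscatter_link_range_m(p_tx_w, g_reader_dbi, g_tag_dbi, reader_sens_dbm)
    return (fwd, "forward") if fwd <= back else (back, "backscatter")


if __name__ == "__main__":
    # Constructed assumptions: 6 dBi reader antenna, 2 dBi tag antenna,
    # tag wakes at -15 dBm, reader hears down to -80 dBm.
    for p_tx in (1.0, 1500.0):  # the 1 W RFID limit vs. the 1.5 kW ham limit
        rng, link = read_range_m(p_tx, 6.0, 2.0, -15.0, -80.0)
        print(f"{p_tx:7.0f} W: {rng:7.1f} m ({rng / 0.3048:6.0f} ft), limited by {link} link")
```

With these assumed numbers the 1 W case is limited by waking the tag, while at 1.5 kW the faint reflection becomes the bottleneck, which is consistent with the article's point that receive-side antenna optimization matters as much as transmit power.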

Limiting factors include noise, interference from other transmitters and crosstalk from the transmitting side of the apparatus into the receiver.